EPIC logo

Privacy Preemption Watch

Introduction | Recent Developments | Policy Rationale | Resources | News | Cases | Previous Top News

Top News

Introduction

In the context of legislation, preemption refers to whether a law restricts the authority of states, counties, or cities to enact or enforce their own policies. Preemption is an issue of legislative power--if the federal government preempts the states on a field of law, that action effectively expands the jurisdiction of Congress to the detriment of states and local governments. Congress' power to preempt state and local laws stems from the Supremacy Clause of the U.S. Constitution.

Federal preemption can take two forms--federal floor and federal ceiling preemption. In most consumer and civil rights legislation, federal law serves as a floor of protections. This "federal floor preemption" only supersedes weaker state laws, and it allows states, counties, and local governments to pass stronger laws. Under federal floor preemption, federal law only supersedes state and local law that conflicts with or is contrary to federal law.

Conversely, "federal ceiling preemption" prevents states and other political entities from passing stronger laws. It can act as an absolute bar to state and local legislation or enforcement.

In analyzing laws, courts look to Congressional intent in order to determine whether Congress preempted state or local authority. In the absence of express legislative intent, by default federal floor preemption applies, allowing states and local authorities to enact or enforce stronger policies. However, courts will find that federal ceiling preemption can apply where Congress enacts a law that "occupies the field" of regulation and thereby leaves "no room" for state action. This is referred to as "field preemption." For instance, courts have found that federal interests are dominant in foreign affairs regulations, and have thus invalidated state laws in that field. Hines v. Davidowitz, 312 U.S. 52 (1941). However, health and safety matters are generally thought to be state concerns, and legislation in these areas are normally not preempted.

In the 1990s, the preemption debate focused mainly on state legislatures that were preempting counties, towns, and cities from passing legislation on tobacco regulation. The tobacco companies had discovered that they could operate effectively on the state level, and prevent towns from passing regulations on cigarette vending machines and indoor air quality. Members of state legislative bodies were more likely to be influenced by tobacco interests, as their policy making decisions occurred at a level of abstraction that removed them from actual consequences of the laws passed. Local politicians, on the other had, directly experienced and were more accountable for the regulations that they promulgated.

Preemption is controversial in a number of areas, including financial services, utilities regulation, product and food safety, workplace safety, minimum wage, health care, ERISA, and gun control. This web page focuses on the policy rationale underlying preemption and privacy legislation.

Recent Preemption Developments

Preemption and FCRA

Preemption is a frequently debated topic in the current Congress because provisions of the Fair Credit Reporting Act (FCRA) that preempt state law in six areas will soon expire. If Congress does not act to extend this preemption, state legislatures will be able to pass stronger consumer protections.

The FCRA, like many other privacy statutes, provides a federal baseline of protections for individuals. The FCRA is only partially preemptive, meaning that except in a few narrow circumstances, state legislatures may pass laws to supplement the protections made by the FCRA. For instance, some states have passed laws requiring the credit reporting agencies (CRAs) to provide reduced cost, or free credit reports.

In a number of important areas state legislation is preempted until January 1, 2004. After that date, states may enact stronger laws on prescreening (what constitutes a "firm offer" of credit, rules for opting out of receiving prescreened offers of credit), compliance duties (time in which a CRA must respond to reports of inaccuracies), user duties (notice and other requirements when a credit report is used for an adverse action), content of reports (length of time negative information can appear on the report), the duties of furnishers (accuracy of information provided, correction duties, notice of closed or disputed accounts), affiliate sharing, and the disclosures that CRAs must make to consumers.

In 1996, when the most recent amendments to the FCRA passed, certain state laws were grand fathered in, and are not preempted by the federal law. Stricter laws exist on affiliate sharing (Vermont) and on duties of furnishers (California and Massachusetts).

Preemption and the OCC

The Office of the Comptroller of the Currency (OCC) announced that it would amend its regulations regarding "visitorial powers" over national banks in 2003. Visitorial powers include the authority to supervise national banks through on-site examinations, and to take administrative enforcement action against national banks, such as proceedings for issuing cease and desist orders and civil penalties or ordering the removal of a national bank director or officer. The OCC's interpretation of these powers, however, would expand the agency's authority and eliminate the authority of states to sue national banks in court to enforce state laws, including consumer protection and privacy laws. EPIC filed comments opposing a broad reading of the OCC's visitorial powers in April 2003.

Preemption and Consumer Privacy

Preemption is a critical issue in the broader consumer privacy debate. H.R. 1636, the Consumer Privacy Protection Act of 2003, introduced by Representative Cliff Stearns (R-FL), contains a super-preemption clause that would supersede all state common and statutory law. Such a broad provision would prevent states from passing privacy laws in every sector (medical, financial, insurance, educational, etc.) and would prevent courts from developing new protections for privacy from state Constitutional and statutory provisions.

Policy Rationale

Historically Most Privacy Law Allows States to Provide Greater Protections

In privacy and consumer protection law, federal ceiling preemption is an aberration. Historically, federal privacy laws have not preempted stronger state protections or enforcement efforts. Federal consumer protection and privacy laws, as a general matter, operate as regulatory baselines and do not prevent states from enacting and enforcing stronger state statutes. The Electronic Communications Privacy Act, the Right to Financial Privacy Act, the Cable Communications Privacy Act, the Video Privacy Protection Act, the Employee Polygraph Protection Act, the Telephone Consumer Protection Act, the Driver's Privacy Protection Act, and the Gramm-Leach-Bliley Act all allow states to craft protections that exceed federal law.

Although the federal government has enacted privacy laws, most privacy legislation in the United States is enacted at the state level. Many states have privacy legislation on employment privacy (drug testing, background checks, employment records), Social Security Numbers, video rental data, credit reporting, cable television records, arrest and conviction records, student records, tax records, wiretapping, video surveillance, identity theft, library records, financial records, insurance records, privileges (relationships between individuals that entitle communications to privacy), and medical records.

The National Association of Attorneys General Privacy Subcommittee has also argued that the states have a traditional role in regulating privacy:

Consumer protection has traditionally been an area where the states' power to ensure fair competition and informed consumer choice has been preserved, not eliminated. This structure has worked well for many years and no need to alter it in the area of privacy has been demonstrated. Preemption of state law will only undermine consumer confidence in their dealings with the financial institutions, e-tailers and other on and offline businesses. This conclusion is especially powerful with respect to financial information, where Congress has already recognized the utility of privacy protections enacted at the state level.

There is a presumption in American law that state and local governments are primarily responsible for matters of health and safety. Hillsborough County v. Automated Medical Laboratories, 471 U.S. 707 (1985) (there is a "presumption that state or local regulation of matters related to health and safety is not invalidated under the Supremacy Clause"). Privacy is included in the category of health and safety issues as an area of regulation historically left to the states. For instance, in Hill v. Colorado, the Supreme Court upheld a law protecting the privacy and autonomy of individuals seeking medical care, as the law was intended to serve the "traditional exercise of the States' 'police power to protect the health and safety of their citizens.'" 530 U.S. 703 (2000).

Preemption Stops States From Performing In Their Traditional Role as "Laboratories of Democracy"

"It is one of the happy incidents of the federal system that a single courageous State may, if its citizens choose, serve as a laboratory; and try novel social and economic experiments without risk to the rest of the country."
--New State Ice Co. v. Liebmann, 285 U.S. 262, 311 (1932) (Brandeis, J., dissenting).

States enjoy a unique perspective that allows them to craft innovative programs to protect consumers. State legislatures are closer to their constituents and the entities they regulate. They are the first to see trends and problems, and are well-suited to address new challenges and opportunities that arise from evolving technologies and business practices.

An entire appendix to the 1977 Report of the Privacy Protection Study Commission was devoted to "Privacy Law in the States." This portion of the report speaks strongly to the value of state privacy protection:

Through constitutional, statutory, and common law protections, and through independent studies, the 50 States have taken steps to protect the privacy interests of individuals in many different types of records that others maintain about them. More often than not, actions taken by State legislatures, and by State courts, have been more innovative and far reaching than similar actions at the Federal level...the States have also shown an acute appreciation of the need to balance privacy interests against other social values.

The report concludes:

This volume [the appendix to the 1977 report] underscores the central role the States can play as protectors of personal privacy and, more broadly, individual liberty...The States have demonstrated that they can, and do, provide conditions for experiments that preserve and enhance the interests of the individual in our technological, information-dependent society.

State lawmakers have expressed similar observations about the role of diverse decision making authority. As North Carolina State Representative Dan Blue has argued:

Federal preemption of state and local law presents a very serious challenge to our constitutional system of federalism...One of the advantages of federalism is that allows for greater responsiveness and innovation through local self-government. State and local legislatures are accessible to every citizen. They work quickly to address problems identified by constituents. The large number of state and local legislatures encourages innovation. A new policy is tested in one jurisdiction. If it works, other jurisdictions try it. If a mistake is made, it can quickly be corrected. But, if the policy jurisdiction of a state or locality has been preempted, then it cannot respond and it cannot innovate.

Federal preemption can dilute more vigorous protections and policy debates that occur at the state level. Roopali Mukherjee and Rohan Samarajiva found in a detailed study (Regulating "Caller ID:" emulation and learning in US state-level telecommunication policy processes, Telecommunications Policy, Vol. 20 No. 7 pp. 531-542, 1996) of Caller ID policy approaches that the Federal Communications Commission's position was much weaker than those developed by the states:

...the FCC's rules deviated from the dominant trend state by state PUCs. Moreover, the FCC's rules pre-empted stronger protections effective in 37 states by that time...

...It appears that the FCC was effectively insulated from the emulation and learning processes at work at the state level...The FCC's record on telecommunications privacy issues is minimal. Outflow [of personal information] concerns, in particular, have received little or no attention. Where privacy concerns have been raised, the FCC has consistently overridden them with concerns regarding competition. Decisions on Customer proprietary Network Information (CPNI) and Automatic Number Identification (ANI) exemplify the FCC's stance...

...while the majority of state regulators moved to higher-privacy solutions by 1994, the FCC stayed with per-call blocking. This suggests that emulation and learning did not take place at the federal level. FCC Commissioners and staff were unlikely to have been heavily involved in policy networks in which state regulators participated quite vigorously. In the absence of learning from state-level networks, the FCC remained unconvinced about outflow concerns, and thereby with higher-privacy solutions.

State Legislators and Law Enforcers are More Accountable to the Public Interest

State and local governing bodies are more accountable to their constituents. As a result, it is likely that stronger protections will emerge from state and local legislatures, and more vigorous enforcement will be pursed by state actors.

There is a particular danger that preemption of state enforcement authority will leave individuals with no remedies to privacy violations. In the states, attorneys general are elected, and thus have direct pressure from constituents to enforce consumer protection laws. Since the federal attorney general and agency officials are appointed, there is a risk that they will be less accountable to the public as political appointees.

A common tactic of an industry wishing to dilute enforcement power is to lobby Congress in order to reduce funding of regulating agencies. For instance, Microsoft Corporation took this approach against the Department of Justice's Antitrust Division in order to frustrate the government's antitrust suit against the corporation. When this tactic is successful and there is no state or individual enforcement authority in a law, the individual may be left with no realistic option to enforce her rights.

EPIC Executive Director Marc Rotenberg has testified before Congress that one risk of federal ceiling preemption is that federal regulators may not be as responsive to individuals' problems:

As a general matter preemption is inconsistent with the structure of privacy law in the United States, and similar proposals have often killed important efforts to enact privacy legislation. But it is a particularly bad idea in this context where the FTC [Federal Trade Commission] would have so much control over the establishment of regulation as well as the provision of safe harbor status. Inadequate regulations or inattention to industry practices by the FTC could not be remedied by state or local authorities. States must retain the right to develop new safeguards to protect the interests of their citizens.

North Carolina State Representative Dan Blue argues a similar position:

Federal regulatory agencies are not always successful in their mission of protecting the public. Moreover, over the past twenty years there has been something of an abdication by the federal government in such fields as consumer, environmental, and public health and safety protection. And, federal regulation, is often sluggish, bogged down in the elaborate federal administrative process and able to respond only slowly to the demands of the public. Federal agencies, in other words, frequently are surpassed in performance by state officials who often can act quickly and effectively to protect their citizens.

States can act more quickly and aggressively because the structure of state administrative law is simpler and allows for swift decision-making. Also, state regulators are often more responsive to public opinion. For example, in most states, a popularly elected Attorney General is responsible for enforcement of antitrust, environmental, and consumer protection laws. State agencies, especially when they work cooperatively, also may have more law enforcement resources than comparable federal agencies. I would point in particular to the effectiveness of cooperative efforts of state attorneys general in addressing public health, consumer protection, and antitrust issues.

Appeals to Efficiency In Nationally-Uniform Laws Are Specious

Especially in the financial services and credit reporting areas, there has been an argument that a national ceiling of laws is needed in order to prevent "balkanization" or a "patchwork" of state laws. However, there is nothing that differentiates these business from other industries that operate at the national level with varying state laws. In fact, many states currently have credit reporting laws that increase protections for consumers, and reduce the costs for access to consumer credit reports.

As the National Association of Attorneys General Privacy Subcommittee has argued:

Many businesses...argue the importance of a single, federal standard by citing the need for uniformity. They assert that a "patchwork" of state laws will make compliance costly and may stifle the development of markets both on and offline. In fact, businesses have long accommodated themselves to a range of state consumer protection statutes while maintaining a profitable enterprise. Courts have, for years, engaged in a process of reconciling potentially or actually conflicting laws through application of established legal principles to various factual situations. Such a tailored response is especially appropriate with respect to evolving technologies and new applications of those technologies. This flexible approach accommodates the needs of both businesses and consumers, while preserving state sovereignty in an area where states have traditionally had a significant role.

The Same New Technologies That Have Enabled Profiling Could Enable Compliance With Different State Laws

Not enough attention has been paid to the possibility that the same technologies that enable profiling and consumer segmentation could be used for compliance with different state laws. There has never been a better time to experiment with this approach.

Resources

News

Cases

Previous Top News

Return to EPIC Home Page | EPIC Privacy Page

Last Updated: October 25, 2005
Page URL: http://www.epic.org/privacy/preemption/default.html